Forum Discussion
Why can't the server generate a report about deleting folders and files?
Hello, I enabled Audit Policy through the following method: Open the Local Group Policy Editor (gpedit.msc). Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configurat...
Hi, the issue is that event 4663 only logs access, not file deletion.
Here's how to fix it:
-Enable "Audit Handle Manipulation" in addition to "Audit File System" in gpedit.msc.
-Check the access type in the event details - it should include DELETE or DELETE_CHILD.
-Enable event logs 4656 and 4660, which track access requests and deletions.
-Configure folder auditing: Right-click the folder - Properties - Security - Advanced - Auditing - Add an entry to track deletion.
-Run gpupdate /force, delete a file/folder, and check the Event Viewer for the correct logs.
